So, it looks as if I'm going to be doing three different posts on this! I'll do a post later in which I attempt to translate What Actually Happened from Jargonese into English, on the off-chance that anyone will be interested. I'm also going to do a post on Why I Totes Love My Password Manager. But today, today we have the Making Of Lists.
Bottom line on Heartbleed: virtually everyone with an online presence has been, to some degree, vulnerable. The important question is, what do you do now?
You must change every password you have on any site that was compromised - or else make a conscious choice not to change it, knowing that anyone who was probing that site while it was vulnerable may now have it. The Russian mafia isn't all that interested in cats or gifsets of the Avengers, so that part is up to you.
Not only that: there's no point in changing a password until after a given site is patched, because a password you set while the site is still leaking can be scooped up just like the old one. There's no need to change a password for sites that were never compromised - unless you reused the password, or a close variation of it, on a site that was - assuming you trust the assurance that the site wasn't actually vulnerable.
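As an added example (mine, not the author's): the decision procedure above, turned into a script you could run over a password-manager export. The CSV export, the site statuses and patch dates, and the site example-unpatched.net are all constructed for illustration; the normalization that treats Summer2013! and summer2013 as the same password is my assumption about what "close variation" means.

```python
"""Heartbleed password triage over a (constructed) password-manager CSV export."""
import csv
import io
import re
from datetime import date

# Constructed site statuses. Patch dates are hypothetical; example-unpatched.net
# stands in for a site that has acknowledged exposure but has not yet patched.
SITE_STATUS = {
    "facebook.com": ("patched", date(2014, 4, 8)),
    "tumblr.com": ("patched", date(2014, 4, 8)),
    "example-unpatched.net": ("vulnerable", None),
    "paypal.com": ("never_vulnerable", None),
    "ravelry.com": ("never_vulnerable", None),
}

# Constructed export in the shape most password managers produce.
EXPORT_CSV = """site,username,password,last_changed
facebook.com,alice,Summer2013!,2013-06-01
tumblr.com,alice,summer2013,2013-09-15
paypal.com,alice,Summer2013!!,2012-01-20
ravelry.com,alice,kn1tt1ngRul3z,2013-11-03
example-unpatched.net,alice,qwertyuiop9,2014-01-01
"""


def normalize(password):
    """Collapse the usual 'variations' (case, digits, punctuation) so that
    Summer2013! and summer2013 count as the same password. Assumption, not a standard."""
    return re.sub(r"[^a-z]", "", password.lower())


def parse_export(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_changed"] = date.fromisoformat(row["last_changed"])
    return rows


def reuse_groups(rows):
    """Map normalized password -> sites that share it (only groups of two or more)."""
    groups = {}
    for row in rows:
        groups.setdefault(normalize(row["password"]), []).append(row["site"])
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}


def triage(rows, site_status):
    """Return {site: action}, applying the rules from the post:
    vulnerable and unpatched -> wait; patched -> change unless already changed
    after the patch; never vulnerable -> fine unless the password is reused
    on an exposed site."""
    exposed_families = set()
    for family, sites in reuse_groups(rows).items():
        if any(site_status.get(s, ("unknown", None))[0] in ("patched", "vulnerable")
               for s in sites):
            exposed_families.add(family)

    actions = {}
    for row in rows:
        status, patched_on = site_status.get(row["site"], ("unknown", None))
        family = normalize(row["password"])
        if status == "vulnerable":
            actions[row["site"]] = "wait: site not yet patched, changing now buys nothing"
        elif status == "patched":
            if row["last_changed"] > patched_on:
                actions[row["site"]] = "ok: already changed after the patch"
            else:
                actions[row["site"]] = "change now: site was exposed"
        elif family in exposed_families:
            actions[row["site"]] = "change now: password (or a variant) reused on an exposed site"
        elif status == "never_vulnerable":
            actions[row["site"]] = "ok: site never exposed and password unique"
        else:
            actions[row["site"]] = "check: site status unknown"
    return actions


if __name__ == "__main__":
    for site, action in triage(parse_export(EXPORT_CSV), SITE_STATUS).items():
        print(f"{site:24} {action}")
```

Note that paypal.com gets flagged even though it was never vulnerable: its password is a variant of the one used on facebook.com, which was exposed, so the "never compromised" exemption doesn't apply.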
So, here’s my list, based on a metric buttload of research and investigation I did last week as part of my job. You are, of course, free to regard my list as non-credible, or do your own list, or shrug off the threat and go look at kitties instead. ;-) Personally, I’ve been hard at the Changing of the Passwords, and I have quite a few more ahead of me.
The following sites were vulnerable, and have confirmed that they are now patched and secure:
Facebook
Instagram
Yahoo
Dropbox
Tumblr
Pinterest
Dreamwidth
Fanfiction.net
Etsy
YouTube
Imgur
Flickr
Wikipedia
Netflix
Soundcloud
OK Cupid
GitHub
Google has been inconsistent. At one point, they acknowledged that they were vulnerable; at another point, they declared that they had additional safeguards that meant people didn’t have to change their passwords, at least not for Gmail. I’m having trouble feeling truly confident*, so I changed that password.
Likewise, LiveJournal might have been exposed, and I’m advising password changes on general principles. I don’t have much trust in LJ’s current owners. Wordpress is another one that’s not very clear; I changed that.
The following sites and services were definitely never exposed to Heartbleed, and I believe them:
Dashlane and LastPass (the two leading password managers)
SpiderOak (a cloud backup service that I use)
Ravelry
AOL
Most banking sites, most US government sites, and most major vendors were not exposed. These are also on the “safe list” -- although, to be honest, I'm doing a lot of new passwords here as well. I'm just not prioritizing them.
Amazon.com (but not Amazon Web Services, where a lot of other stuff is hosted)
Most travel sites (Expedia, Orbitz, Travelocity, Priceline)
Paypal
Ebay
Shopify (runs the shopping cart for many small web shops)
LinkedIn
Photobucket
AO3
IRS
This short list is based on the sites I use, or that people on my Flist are likely to use (well, maybe not OK Cupid and GitHub). You can check out the Great Big List of the Top 10,000 Sites (do a Find for a given URL). You can test an individual site for vulnerability with LastPass' Heartbleed checker, filippo.io's checker, or Qualys SSL Labs. Be aware, however, that these checkers have limitations: they can tell you whether a site is vulnerable right now, but they are much less authoritative about whether it was vulnerable before it was patched, and they don't tell you whether the site reissued its certificate after patching (the server's private key sat in the same memory the bug leaked, so a patched site whose certificate still predates the fix has only done half the job).
So, GAHHH THAT IS A LOT OF PASSWORDS HELLLLLP. Right? Well, in fact, there is help! For my next thrilling installment, I will tell you about my password manager. (Pause to get popcorn.)
*Actually, I'm pissed off at them for not just saying "Yo, folks, do it."